Suppose I have two users A and B and a group G and a folder foo, both users are members of G (using linux and ext3).

If I save as user A a file under foo, the permissions are: -rw-r--r-- A A. However it is possible to achieve that every file saved under some subdirectory of foo has permissions -rwxrwx--- A G (i.e. owner A, group G)?

3 Answers
3

You can control the assigned permission bits with umask, and the group by making the directory setgid to G.

$ umask 002 # allow group write; everyone must do this
$ chgrp G . # set directory group to G
$ chmod g+s . # files created in directory will be in group G

Note that you have to do the chgrp/chmod for every subdirectory; it doesn't propagate automatically (that is, neither existing nor subsequently created directories under a setgid directory will be setgid, although the latter will be in group G).

Also note that umask is a process attribute and applies to all files created by that process and its children (which inherit the umask in effect in their parent at fork() time). Users may need to set this in ~/.profile, and may need to watch out for things unrelated to your directory that need different permissions. modules may be useful if you need different settings when doing different things.

You can control things a bit better if you can use POSIX ACLs; it should be possible to specify both a permissions mask and a group, and have them propagate sensibly. Support for POSIX ACLs is somewhat variable, though.

Under Linux, make sure that the filesystem you're using supports ACLs (most unix filesystems do). You may need to change the mount options to enable ACLs: with ext2/ext3/ext4, you need to specify the acl mount option explicitly, so the entry in /etc/fstab should look like /dev/sda1 / ext4 errors=remount-ro,acl 0 1. Run mount -o remount,acl / to activate ACLs without rebooting. Also install the ACL command line tools getfacl and setfacl, typically provided in a package called acl.

Now that the one-time setup is over, change the directory's ACL to give the group write permissions and to make these permissions inherited by newly created files. Under Linux:

If ACLs are not an option, make the directory owned by the group G, and set its permissions to 2775 or 2770: chmod g+rwxs /path/to/directory. The s here means the setgid bit; for a directory, it means that files created in this directory will belong to the group that owns the directory.

You'll also need to set A and B's umask to make all their files group-writable by default. The default umask on most systems is 022, meaning that files can have all permissions except write by group and other. Change that to 002, meaning to forbid only write-by-other permission. You would typically put that setting in your ~/.profile:

Nice answer, but after following all these steps, it seems that when I untar a file, it inherits the permissions of the file as it was inside the .tar file. So I end up with something that works for normal usage, but as soon as someone extracts a .tar file, no one else can edit anything inside it. Do you know if there is anything I can do about that?
–
MikeJun 5 '14 at 22:20

1

@its_me Q1: I show a mount command with the remount option, so it doesn't use fstab. Having acl twice means that the filesystem was mounted with the acl option already, and it harmless. aclis the default for ext4 in recent kernels, by the way (the patch was still brand new back when I wrote this answer). Q2: You can run the commands in either order.
–
GillesJun 18 '14 at 21:30

1

@its_me Yes, your understanding is correct, it's just that it doesn't matter in what order you add the entries
–
GillesJun 18 '14 at 21:39

Note that the default acl behaves like a local umask. Since at least in Linux, umasks are applied globally, this is the only way I know to get the effect of a local umask. For some reason this a little known feature. The net is littered with people asking about a local umask override, but almost nobody seems to think of using acl.

Also note that you need to mount the partition you are working in with acl support, eg.